bevnjeff

about:blank hijack from coolwebsearch

36 posts in this topic

Like many others here, our IE start page has been hijacked to about:blank. Yesterday we ran Adaware, Coolwebshredder, and Hijackthis, and it "fixed" the problem. But, today, about:blank is back.

 

Here is our Hijackthis file:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:42:14 PM, on 6/24/2004

[Outdated log removed]

Edited by WinHelp2002


I have been trying to remove my home page hijacks for 7 months now, with varying degrees of success. I can restore my home page by finding and deleting the 31 kb dll file that gets created during the hijack, running hijackthis, and clicking the R1 and R0 entries, as well as one O2 entry. But, I cannot find the file that CREATES the dll file. Therefore, the hijack returns every 1-2 days.

 

I posted in June, but did not get a reply :( . I know you're all real busy, though, and I appreciate whatever help you can give me.

 

I read Mike's FAQ post, and the hijacked article, ran updated versions of adaware and spybot. I am "clean" right now, but I am always clean after running those programs, and I get un-clean shortly thereafter.

 

Here is my current hijackthis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:06:56 PM, on 10/23/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\AIM5.5.3415\aim.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"

O4 - HKLM\..\Run: [update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab

O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.yahoo.com/java/y/nbast8262_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.yahoo.com/java/y/nflgcst1008_x.cab

O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.yahoo.com/java/y/nhlst8242_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083975488281

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21

 

 

 

I am on dialup, but want to switch to hi-speed. I'm afraid to while I have a "visitor" in my computer, though.

 

Please help!

 

Thanks,

 

bevnjeff


Can someone please help us with this hijack? We've had it since March, and are annoyingly close to getting rid of it (we think!).

 

Appreciated,

 

bevnjeff


Greetings bevnjeff

So sorry you have been made to wait so long.

 

I am looking the log over and will get back to you soon.

 

Thank you so much for your patience.


Please download the new version of CWShredder

Save it to your desktop.

Do not run it yet.

 

Please download FxAgentB

Follow Symantec's instructions for running it.

Do save the log file. I will want to see it.

 

- Reboot

 

Please run CWShredder. Be sure to click Fix as opposed to Scan Only.

 

- Reboot

 

Please post a new HijackThis log and the log that FxAgentB gave you.


Thank you for your advice. Oh, and YAY SOX!!!

 

I did everything you asked, in the order you asked.

 

When I ran FxAgentB, it said I was not infected.

 

Log is:

 

Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

 

 

Backdoor.Agent.B has not been found on your computer.

 

Here is my hijackthis file:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:23:44 AM, on 10/29/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\AIM5.5.3415\aim.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"

O4 - HKLM\..\Run: [update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab

O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.yahoo.com/java/y/nbast8262_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.yahoo.com/java/y/nflgcst1008_x.cab

O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.yahoo.com/java/y/nhlst8242_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083975488281

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21

 

Thanks again for your help!

 

--bevnjeff


You are most welcome bevnjeff.

 

I see nothing in your log to indicate any problems. You never mentioned in your reply if you are still being hijacked or if there are any other issues. If all seems well now, please let me know. If not:

 

Please download DLLCompare HERE

 

Launch the program and place a check mark in the include subdirectories.

 

Click the Compare button and wait until it completes.

 

To reduce the number of files found and remove them from the list, please click on each of the files in the lower section to select them, then right-click on the file and select the option "Rescan".

 

With what file(s) remain, please select Make a Log of what was found button, and please post the log here in this thread.

 

Please download Registrar Lite HERE

Launch it and copy/paste the line below into its address field and press enter.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

In the right hand section the name AppInit_DLLs will be highlighted. Please double-click on the AppInit_DLLs entry then copy/paste the text found in the value field in this thread along with your DLLCompare log.


Happy Hallowe'en! And, a great parade in Beantown yesterday!

 

Good to see the site up and running again.

 

Although my log is clean, I still get hijacked. When I do, a random dll file of 31kb gets placed into my system32 folder, and 9 registry items are created or changed. To "fix" the problem, I delete the dll file (I have to go to administrator account to do so), and I run hijack this to delete the R0, R1 entries, and to delete the one O2 entry that has the bad dll. This fixes my problem for a day or two, but it always returns. As a matter of fact, it's here now. The bad dll is lekifk.dll, and was created at 1:18 this morning.

 

I ran DLLCompare, and Registrar Lite, and am posting their results. I am also posting the hijackthis file, so you can see the 10 bad entries.

 

******************DLLCompare *************************

 

* DLLCompare Log version(1.0.0.125)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

 

C:\WINDOWS\SYSTEM32\winceh.dll Thu Feb 26 2004 5:05:06p A.... 21,504 21.00 K

________________________________________________

 

1,864 items found: 1,864 files, 0 directories.

Total of file sizes: 455,516,888 bytes 434.41 M

 

Administrator Account = True

 

--------------------End log---------------------

 

 

***************Registrar Lite ***************

 

c:\windows\system32\winceh.dll

 

 

***********Hijackthis file****************

Logfile of HijackThis v1.97.7

Scan saved at 10:24:08 AM, on 10/31/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\AIM5.5.3415\aim.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\CWS\DllCompare.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Netscape\Netscape\Netscp.exe

C:\Program Files\Registrar Lite\rl.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {B868C7C2-AABC-4A2B-9E43-8546FF422FF8} - C:\WINDOWS\system32\lekifk.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"

O4 - HKLM\..\Run: [update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab

O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.yahoo.com/java/y/nbast8262_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.yahoo.com/java/y/nflgcst1008_x.cab

O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.yahoo.com/java/y/nhlst8242_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083975488281

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21

 

******************

Like I said, I put a check mark next to the R0, R1, and the third O2.

 

Thanks again for your help so far!

 

--bevnjeff

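As an added triage example (not bevnjeff's or the forum helpers' code), the Python below parses the R0/R1 and O2 lines of a HijackThis log in the format posted above and flags the pattern this thread describes (IE pages reset to about:blank / about:NavigationFailure, an unnamed BHO loaded from system32), then cross-checks the AppInit_DLLs value read with Registrar Lite against DLLCompare's list of files Windows cannot see. The sample lines are constructed from the logs in this thread; the regexes and the "unnamed BHO in system32 is suspect" heuristic are assumptions, not HijackThis or DLLCompare internals.

```python
import re
from dataclasses import dataclass

# IE settings that this CWS variant resets; HijackThis reports them as R0/R1 lines.
HIJACKED_VALUES = {"about:blank", "about:navigationfailure"}

# Assumed line formats, modelled on the HijackThis v1.97.7 and DLLCompare output in this thread.
R_LINE = re.compile(r"^(R[01]) - (HK(?:LM|CU)\\[^,]+),([^=]+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# Heuristic: legitimate BHOs live under Program Files; one dropped straight into system32 is suspect.
SYSTEM32_DLL = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# DLLCompare lists each hidden file as "<path> <weekday> <date> <attrs> <size>".
DLLCOMPARE_LINE = re.compile(r"^([A-Za-z]:\\.+?\.dll)\s+(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\s", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "ie_setting" or "bho"
    line: str    # the HijackThis line that would be ticked for removal
    detail: str


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Return the R0/R1 and O2 entries that match the hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            _, key, name, value = m.groups()
            if value.strip().lower() in HIJACKED_VALUES:
                findings.append(Finding("ie_setting", line, f"{name} under {key} set to {value}"))
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            if name == "(no name)" and SYSTEM32_DLL.match(path.strip()):
                findings.append(Finding("bho", line, f"unnamed BHO {clsid} loads {path} from system32"))
    return findings


def hidden_files(dllcompare_text: str) -> set[str]:
    """Paths DLLCompare reports as present on disk but not visible to Windows."""
    found = set()
    for raw in dllcompare_text.splitlines():
        m = DLLCOMPARE_LINE.match(raw.strip())
        if m:
            found.add(m.group(1).lower())
    return found


def appinit_loaders(appinit_value: str, hidden: set[str]) -> list[str]:
    """AppInit_DLLs entries (space or comma separated) that DLLCompare says Windows cannot see.

    AppInit_DLLs is loaded into every process that loads user32.dll, so a hidden DLL
    listed there can recreate the BHO and the IE settings after each clean-up."""
    entries = [e.strip().lower() for e in re.split(r"[ ,]+", appinit_value) if e.strip()]
    return [e for e in entries if e in hidden]


# Constructed sample input, copied from the logs bevnjeff posted in this thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B868C7C2-AABC-4A2B-9E43-8546FF422FF8} - C:\WINDOWS\system32\lekifk.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""
SAMPLE_DLLCOMPARE = r"""
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
C:\WINDOWS\SYSTEM32\winceh.dll Thu Feb 26 2004 5:05:06p A.... 21,504 21.00 K
"""
SAMPLE_APPINIT = r"c:\windows\system32\winceh.dll"   # value shown by Registrar Lite


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print(f"[{f.kind}] {f.detail}")
    loaders = appinit_loaders(SAMPLE_APPINIT, hidden_files(SAMPLE_DLLCOMPARE))
    print("hidden AppInit_DLLs loader(s):", loaders or "none")
```

On the sample this reports the same ten HijackThis entries bevnjeff ticks by hand and names winceh.dll as the hidden loader behind them.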

Thank you bevnjeff for the logs, detailed information and your patience. The logs do indicate that your PC is infected with a very nasty variant of CWS.

 

I will review it all and get back to you as soon as possible with a proposed fix.


Sorry for my delay bevnjeff. I was out of town on business.

 

Please take your time in following the steps below. It is not as intimidating as it first appears.

 

 

Launch Windows Explorer, and navigate to C:\ and then create a new folder called "Hijack" and within that folder, create two new folders, one called 'Backups' and one called 'Junk'.

 

Please launch Registrar Lite then copy and paste this line in Reglite's address bar.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

Select the "go" tab. Find the "Appinit_Dlls" key in the right hand pane and double click to find the "Value" data. Confirm that c:\windows\system32\winceh.dll still shows in the 'Value' field.

 

Now copy and paste the key below into reglite's address bar and click 'Go'.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

 

Click on the Windows key to highlight it in blue and use the top menu File>Export and save both these files in the C:\Hijack\Backups folder.

 

Winkey.reg (Save as type: regedit4 .reg type)

Winkey.hiv (Save as type: Scroll to select-regedt32/WinAPI *hiv *dat files)

 

Navigate to C:\Hijack\Backups to confirm both files have been successfully saved.

 

Using the Registrar Lite program again, copy and paste the key below into reglite's address bar and hit 'Go'.

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Right-click on the Windows key in the left pane and rename it to "Notwindows". Then double-click "Appinit_Dlls" value in right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be "winceh.dll".

 

Hit 'Apply' and 'OK' to set.

 

Now rename 'NotWindows' back to 'Windows' in the pane on the left.

 

Exit Registrar Lite and reboot your computer. If this fix worked, winceh.dll should not load on startup and should be visible in the folder C:\WINDOWS\System32.

 

Please download Winfile.zip.

 

Launch it and click File > Move

 

Copy and paste this into the 'From' box

 

C:\WINDOWS\system32\winceh.dll

 

Copy and paste this into the 'To' box:

C:\Hijack\Junk\winceh.dll

 

Click OK. Exit Winfile and please look in C:\Hijack\Junk for the file "winceh.dll" Please let me know what you find in that folder.


Bad news (well, for me, anyway). The winceh.dll file is not visible in the system32 file upon rebooting. It keeps re-showing up in the same place (in reglite) as it was before I followed your instructions. Interestingly, I went into regedit, just for a peek. When I click on AppInit_DLLs, under 'value data', it is blank.

Also, I tried to download the winfile.zip, but I was unable to do so -- I got this note:

 

HTTP1.1 STATUS 403 Remote Access to this object forbidden This file cannot be directly accessed from a remote site, but must be linked through the Brinkster Member's site.

 

Arrggghhhh! Now what? Help!

 

--bevnjeff


CoolWebSearch and all its many variants are one of the most cunning infections out there. The tools we have used so far have been successful in many of the infections exactly like yours. Don't be discouraged. Our arsenal is not empty by any means. We haven't lost one yet!

 

I think we are at a point now where I need to call in one of our experts to take a look at this. You will be contacted soon.


Indrid_Cold has asked me to lend a hand ...

 

I would like to ascertain where we currently stand so can you please perform the following:

 

To anyone other than the originator of this topic: do not use this thread to try to fix your system or anyone else's by copying it - this is not an automatic fix and requires the logs to be properly interpreted.

 

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.


Thanks for offering to help us out, Phantom.

 

I could not do what you asked. I downloaded findnfix.exe, but when I ran !Log! it went through a few DLLs (maybe 10-15), and then "hung" on winbrand.dll. I noticed that in a file called list.txt, winbrand is the file directly before winceh.dll, and winceh.dll says "read error!".

 

--bevnjeff


Despair not, fellow citizens of Red Sox Nation :)

 

The email notification will sometimes fail to alert that a post has been answered. I am in touch with PGPhantom to let him know you have responded. I suspect you will be hearing from him soon.

IC -


Hi -- We got the same (non?) result in safe mode. No file called log.txt was created. Several files in tmplogs were created: dlltxx, file, info, list, test, and typesys. Also, in a folder called keys1, a file called winkey was created.

 

When I ran !log!, after several minutes, it started cycling through dll files. It stalled at winbrand.dll, which is the dll file alphabetically preceding winceh.dll. Winceh.dll seems to be a problem file. There is a "read error" in the list file.

 

Contents of files:

 

winkey---------------------------------------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

file--------------------------------------------

 

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»

The list will produce a small database of files that will match certain criteria.

Ex: read only files, s/h files, last modified date. size, etc.

The filters provided and registry scan should match the

corresponding file(s) listed.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Unless the file match the entire criteria, it should not be pointed to remove

without attempting to confirm it's nature!

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!

If in doubt, always search the file(s) and properties according to criteria!

 

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

 

______________________________________________________________________________

***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***

______________________________________________________________________________

 

......Scanning for file(s)...

*Note! The list(s) may include legitimate files!

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

 

»»»»» (*1*) »»»»» .........

»»Read access error(s)...

 

C:\WINDOWS\SYSTEM32\WINCEH.DLL +++ File read error

\\?\C:\WINDOWS\System32\WINCEH.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

WINCEH.DLL Read Error!

 

»»»»» (*3*) »»»»»........

 

No matches found.

 

unknown/hidden files...

 

No matches found.

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

SNiF 1.34 statistics

 

Matching files : 0 Amount in bytes : 0

Directories searched : 1 Commands executed : 0

 

Masks sniffed for: *.DLL

 

»»»»»(*5*)»»»»»

 

 

 

Help!

 

--bevnjeff


Sorry for the delay bevnjeff.

 

As one of the board's experts PGPhantom tends to be very busy and apparently email notification is still not informing him of your replies.

 

I will let him know you have replied and I would expect you will hear from him soon.

 

Thank you very much for your continued patience and understanding.


Indrid, Phantom -- I hate to be a pest, especially since you are volunteers trying to help people, but I'm feeling abandoned here. I haven't heard anything in over a week.

 

Help!

 

Thanks

--bevnjeff


You are not being a pest and I can assure you that you have not been abandoned. I have and will continue to monitor this thread until we have resolved your hijack.

 

PGPhantom, as with all of our volunteers, devotes as much of his free time as he can to the cause. Not seeing him here for the last few days would lead me to believe that other matters are preventing him from doing so.

 

In hopes of keeping some kind of continuity to this thread, I have been reluctant to contact another one of our CWS experts to intervene. Now, not knowing PGPhantom's situation nor when he might have the time to return, I shall do so.

 

I, being a victim of more than one hijack, know how frustrated you feel and nothing would please me more than to see your issues resolved. Please keep the faith while I seek other avenues in resolving your problems.


Some new information has come to light on the specific variant of your infection. I am currently writing up another fix and will be back with you soon.


Please navigate to the folder we had previously created c:\hijack. Double-click on the winkey.reg file that we had created earlier. When it prompts, if you would like to import/merge the data, click the Yes button.

 

Launch Registrar Lite

 

Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter. On the left side of the screen the Windows key should be selected and highlighted in purple/blue.

 

While the Windows key is selected (highlighted purple/blue) in the left window, click on File and then Import.

 

Browse to c:\hijack again and select the winkey.hiv file that we created earlier and click the Open button. Then click the OK button.

 

Exit Registrar Lite

 

Reboot

 

Launch DLLCompare and run per my previous instructions. Please make a log and then post it here.


OK --here is the dllcompare logfile.

 

 

* DLLCompare Log version(1.0.0.125)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

 

C:\WINDOWS\SYSTEM32\winceh.dll Thu Feb 26 2004 5:05:06p A.... 21,504 21.00 K

________________________________________________

 

1,425 items found: 1,425 files, 0 directories.

Total of file sizes: 284,082,050 bytes 270.92 M

 

Administrator Account = True

 

--------------------End log---------------------

 

 

Looks like my trouble spot is the winceh.dll file. Yes? But, how to remove it?

 

 

Regards,

 

--bevnjeff


That is the hostile file. There has never been any doubt about that. The rub has been in removing it.

 

Before moving on and trying this other fix, I wanted to make sure that the file name had not changed.

 

I want to be clear where we are now at:

You have followed my last instructions to the letter and had no difficulties in restoring both of those reg files that were backed up. You rebooted, ran DLLCompare and we found that the hostile file is still there and under the same name.

 

If this is not correct, please let me know.

 

We had to backup a few steps before taking on the next fix and it is important that I know that both of those backup files have been restored with no problems.

 

A try at a new fix will follow soon.


OK, first download Pocket Killbox from here:

 

http://download.broadbandmedic.com/

 

Run it.

 

Paste this onto the white line:

 

 

C:\WINDOWS\SYSTEM32\winceh.dll

 

Turn on the "delete on reboot" button.

 

Hit the red X.

It will confirm the delete on reboot. Hit Yes.

 

 

When instructed to reboot, do so.

 

After rebooting, run CWShredder one more time.

 

Run a new DLLCompare log and HijackThis log.

Post them here.


Wow! Can it be? Am I clean? Killbox killed my bad file (I think).

 

Here's my logs:

 

* DLLCompare Log version(1.0.0.125)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

 

O^E says: "There were no files found :)"

________________________________________________

 

1,424 items found: 1,424 files, 0 directories.

Total of file sizes: 284,060,546 bytes 270.90 M

 

Administrator Account = True

 

AppInit_DLLs value = c:\windows\system32\winceh.dll (not hidden)

--------------------End log---------------------

 

************************************************************

 

Logfile of HijackThis v1.97.7

Scan saved at 1:38:08 AM, on 11/24/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\AIM5.5.3415\aim.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\DLLCOMPARE\DllCompare.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"

O4 - HKLM\..\Run: [update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab

O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.yahoo.com/java/y/nbast8262_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.yahoo.com/java/y/nflgcst1008_x.cab

O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.yahoo.com/java/y/nhlst8242_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083975488281

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

 

 

Anxiously awaiting your verdict re my computer -- preparing to be eternally grateful!

 

--bevnjeff


Many thanks shadowwar for your expertise and assistance.

 

I want to say that things are looking good, but I will defer and wait for shadowwar's read on things. Once we get the okay, I will be back to offer advice on some things you can do to protect yourself against future infection.


OK, can you update your HijackThis to 198.2?

 

After you scan with that, there should be an O20 value for AppInit.

 

Check and fix that one.

 

Then post the new log from 198.2.

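The O20 entry above and the winkey export posted earlier both come down to one registry value, AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. As an added example (not code from this thread or from HijackThis, DLLCompare or FindnFix), here is a Python check that reads a REGEDIT4 export in the layout of that winkey file plus HijackThis-style log lines and reports every DLL the value would load; the sample inputs are constructed and the exact O20 line layout is an assumption.

```python
import re

# Constructed sample (not one of the thread's own logs): a REGEDIT4 export of
# the Windows key, laid out like the winkey file posted in this thread, but
# with AppInit_DLLs populated the way the hijacked machine's value was.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\winceh.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
'''

# Constructed HijackThis-style lines (the exact O20 layout is an assumption).
SAMPLE_HJT_LOG = r'''O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: c:\windows\system32\winceh.dll
'''

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# REGEDIT4 value lines: "name"="string" or "name"=dword:xxxxxxxx
_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')


def _unescape_reg_string(data: str) -> str:
    """Undo REGEDIT4 escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}; dwords become ints."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:          # header and anything before the first key
            continue
        m = _DWORD_VALUE.match(line)
        if m:
            keys[current][m.group("name")] = int(m.group("data"), 16)
            continue
        m = _STRING_VALUE.match(line)
        if m:
            keys[current][m.group("name")] = _unescape_reg_string(m.group("data"))
    return keys


def appinit_dlls_from_export(text: str) -> list:
    """DLL paths listed in AppInit_DLLs (a space- or comma-separated list).

    Every DLL named here is loaded into each process that loads user32.dll,
    which is how one registry entry put winceh.dll into every GUI program.
    """
    values = parse_reg_export(text).get(WINDOWS_KEY, {})
    raw = values.get("AppInit_DLLs", "")
    if not isinstance(raw, str):
        return []
    return [p for p in re.split(r"[\s,]+", raw) if p]


def hijackthis_o20_entries(log: str) -> list:
    """Paths HijackThis reports on O20 (AppInit_DLLs) lines."""
    return [line.split(":", 1)[1].strip()
            for line in log.splitlines()
            if line.startswith("O20 - AppInit_DLLs:")]


def audit_appinit(reg_text: str, hjt_log: str) -> list:
    """Merge both views; on a clean XP box the value is empty, so any hit is a finding."""
    paths = set(appinit_dlls_from_export(reg_text)) | set(hijackthis_o20_entries(hjt_log))
    return sorted(paths, key=str.lower)
```

Run audit_appinit on a clean export (AppInit_DLLs set to "" as in the posted winkey file) and it returns an empty list; the populated sample above returns the single winceh.dll path.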

Okay, I did what you requested. I updated hijackthis, ran it, and cleared out the O20 line (it had a winceh.dll reference).

 

 

Here's my new log:

 

 

Logfile of HijackThis v1.98.2

Scan saved at 5:03:10 PM, on 11/24/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\AIM5.5.3415\aim.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE

C:\DOCUME~1\family\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\family\Application Data\Mozilla\Profiles\default\8o1ht4zm.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"

O4 - HKLM\..\Run: [update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM5.5.3415\aim.exe -cnetwait.odl

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM5.5.3415\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab

O16 - DPF: Yahoo! NBA StatTracker - http://aud4.sports.yahoo.com/java/y/nbast8262_x.cab

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.yahoo.com/java/y/nflgcst1008_x.cab

O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.yahoo.com/java/y/nhlst8242_x.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab

O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F8CAE1D5-C336-4687-ABE8-8BBF7BB1C82D}: NameServer = 216.187.0.20 216.187.0.21

 

 

Thanks for your help!

 

--bevnjeff


Excellent news bevnjeff. Well done!

 

You need to move that latest copy of HijackThis from that temp folder or risk losing it. Why not move it to C:\Program Files\Coolwebshredder\Hijackthis\HijackThis.exe?

 

After moving HJT:

 

- Click Start

- Run

- Type "cleanmgr"

 

Select the following:

1) Temporary Internet Files

2) Recycle Bin

3) Temporary Files

 

Some parting advice:

 

You are not running a firewall. This is your first line of defense against attacks. I would strongly suggest you install one immediately.

I recommend this free version of ZoneAlarm from Zone Labs.

 

To reduce the potential for spyware infection in the future, I strongly recommend installing the following free products;

 

SpywareBlaster:

It will prevent spyware from being installed and consumes no system resources.

SpywareBlaster

 

SpyWareGuard:

It offers realtime protection from spyware installation attempts.

SpywareGuard

 

IE/Spyad:

It places over 4000 websites and domains in your IE's restricted zone.

IE-SPYAD

 

I would also strongly recommend that you read this thread written by Tony Klein.

So how did I get infected in the first place

 

Stay safe out there bevnjeff!


Indrid -- thank you for those suggestions. I will install a firewall, as well as moving HijackThis away from the temporary location. I will also download the protection programs you suggested.

 

But -- more importantly -- a HUGE THANK YOU to you, to Phantom, and to Shadowwar for your help!! I think I am spyware-free, for the first time since March. I'll still be holding my breath each day for a while, but it sure seems like everything you walked me through worked!

 

I definitely will be making a donation to the cause, as soon as I let that breath out, as you're all worth it!

 

Once again, MANY MANY THANKS!!

 

--bevnjeff


You are most welcome bevnjeff, and thank you for your kind offer of a donation. Donations ensure that forums like this will always be around to thwart the continuing efforts of those purveyors of scumware.
